This month’s Microsoft Patch Tuesday addresses 99 vulnerabilities with 12 of them labeled as Critical. Of the 12 Critical vulns, 7 are for browser and scripting engines, 2 are for Remote Desktop Client, and the remaining 3 are for LNK files, Media Foundation, and Windows. The IE 0-day disclosed in January is patched as part of the scripting engine fixes. Microsoft also issued a patch for an RCE in Exchange.
Adobe issued patches today for Experience Manager, Digital Editions, Flash Player, Acrobat/Reader, and Framemaker.
The Scripting Engine, LNK file, and Media Foundation vulns in this release mean that patches should be prioritized for workstation-type devices, that is, any system used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Actively Attacked 0-Day in IE
Microsoft has also released a fix for a Windows vulnerability (CVE-2020-0662) that could lead to Remote Code Execution if an attacker has Domain User credentials. While this vulnerability is labeled as “Exploitation Less Likely,” it can be attacked over the network with no user interaction, according to the CVSS Vector Strings set by Microsoft. The impacted service is not stated in the bulletin. Based on the information given, this should be prioritized across all Windows servers and workstations.
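The reasoning above, ranking a fix by its CVSS vector rather than by its exploitability label alone, as an added Python example (not code from Microsoft or from the original post). The sample vectors are constructed to match the properties described, and the function names and the triage rule itself are assumptions.

```python
# Added example: rank a fix by its CVSS v3 base vector, not only by its label.
# Vectors in SAMPLES are constructed for illustration, not copied from a bulletin.
BASE = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR",
        "S": "UC", "C": "HLN", "I": "HLN", "A": "HLN"}


def parse_vector(vector):
    """Return the base metrics of a CVSS v3.x vector; ValueError if malformed."""
    prefix, _, rest = vector.strip().partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported prefix: {prefix!r}")
    metrics = {}
    for part in rest.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"bad metric: {part!r}")
        if key not in BASE:
            continue  # temporal/environmental metrics do not affect this rule
        if len(value) != 1 or value not in BASE[key] or key in metrics:
            raise ValueError(f"bad or duplicate metric: {part!r}")
        metrics[key] = value
    missing = sorted(set(BASE) - set(metrics))
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def triage(vector, label):
    """Assumed rule: network-reachable, no user interaction, at most low
    privileges and high impact outranks a 'Less Likely' label."""
    m = parse_vector(vector)
    reachable = m["AV"] == "N" and m["UI"] == "N" and m["PR"] in ("N", "L")
    high_impact = "H" in (m["C"], m["I"], m["A"])
    if reachable and high_impact:
        return "prioritize"
    if label in ("Exploitation Detected", "Exploitation More Likely"):
        return "prioritize"
    return "standard"


SAMPLES = [  # (constructed vector, exploitability label)
    ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
     "Exploitation Less Likely"),
    ("CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "Exploitation Less Likely"),
    ("CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "Exploitation Detected"),
]

if __name__ == "__main__":
    for vec, label in SAMPLES:
        print(triage(vec, label), label, vec)
```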
Microsoft has also fixed a Remote Code Execution vulnerability (CVE-2020-0688) in Exchange. This vulnerability can allow an attacker to execute arbitrary code as System by sending a specially crafted email to the Exchange server. This patch should be prioritized for any Exchange servers, despite being labeled as “Important.”
Remote Desktop Client RCEs
Two Remote Code Execution vulnerabilities (CVE-2020-0681 & CVE-2020-0734) have been patched in the Remote Desktop Client. Exploiting these vulnerabilities would require a target to connect to a malicious Remote Desktop Server.
Microsoft also released patches (ADV200002) for Chromium-based Edge covering 4 vulnerabilities on January 17th and 37 more on February 7th.
Adobe issued patches today covering multiple vulnerabilities in Experience Manager, Digital Editions, Flash Player, Acrobat/Reader, and Framemaker. The patches for Flash, Acrobat/Reader, and Experience Manager are labeled as Priority 2, with the others set to Priority 3. On January 28th, Adobe also issued an out-of-band patch for Magento, labeled as Priority 2.
While none of the vulnerabilities disclosed in Adobe’s release are known to be Actively Attacked today, all patches should be prioritized on systems with these products installed.